
MS ISA vs. Esoft's Instagate EX2 or others

We have about forty users here and at the moment are only using a DSL router and NAT for protection. We have finally talked the partners into getting a decent firewall. One of our consultants says MS ISA is the way to go. Another says his company has had nothing but trouble with MS ISA and they switched to Esoft's Instagate EX2 and they love it. Easy to set up and manage.

Does anyone have an opinion on this or a suggestion on a better firewall?

We are running W2K Servers, Exchange 5.5 (soon to be Exchange 2000), DSL for internet access.

Our wants are to have the most secure firewall we can get for under $2500 - $3000. We would like to be able to block just a few specific sites.

Thanks for your advice in advance,
1 Solution

MS ISA is good too. However you will still be vulnerable to OS problems. That's the reason that I would recommend an appliance.

For that amount of money you can have a firewall appliance. Something like Netscreen 5, WatchGuard (with a plug-in for web filtering).

Or if you want something based on Linux with a nice interface try Astaro (www.astaro.com), which has a web proxy included and VPN capabilities (like the other two mentioned above).


I'd second the Netscreens. They're cheap, fast, easy to manage, and just plain work great. You might also check out the new CheckPoint SofaWare boxes, or, depending on how small your network is, even something like an SMC Barricade. All of these are in the sub-$1000 range.

HOWEVER, this all depends on what kind of "extras" you want, like the ability to plug in things like anti-virus scanning, content filtering, easy creation of DMZs, and secure connectivity for remote users.

For these things, look at the slightly higher end Netscreens, the low-end Cisco PIXes, and the Intrusion Inc. CheckPoint boxes.

MS ISA server does have these things, but as Mishou pointed out, do you really want to have the only protection of your network be a Windows box?
ditto above
ISA is too primitive, not easy to understand, built too cheap, but what do you expect from a SW company?

I dunno on Esoft's Instagate EX2, but see no reason to contradict your source.

Rule of thumb is firewall s/b hardware, and Windows is vulnerable, so get that OS behind as many real protections as you can.

Linux is quite common, for going on the cheap.

ISA is not bad but SEVERELY limited in more complicated setups. Main hindrance is that they do not support full demilitarised zone (DMZ) handling - filtering can only be put completely on one of the two NIC borders and not on the other. Most competitors, e.g. Checkpoint, CA and Cisco, handle this a lot better - so I suppose ESoft would do as well.

Hope this helps,

<Erik> - The Netherlands
agreed, better to do better
While you await, train staff to quit running EM/'net worms like Klez. Firewalls do not stop the humans
ref: http://www.computerworld.com/storyba/0,4125,NAV47_STO70290,00.html
"New variant of Klez worm detected By JAIKUMAR VIJAYAN (April 18, 2002)
A new variant of a worm that takes advantage of vulnerabilities in unpatched Internet Explorer and Outlook Express software from Microsoft Corp. is spreading in the wild, antivirus vendors warned. "
rodney777 (Author) commented:
Thanks for the info everyone.
We were looking at Watchguard's boxes last year and decided on that, but now there seem to be more options and we are just trying to make sure we don't miss something.
I'm looking into Checkpoint and Netscreen to see how they compare to Esoft's Instagate EX2.
Another vote for Netscreen here. My organization runs over 200 appliance firewalls, a combination of Checkpoint, PIX, and Netscreen. The Netscreens are by far the nicest of the bunch.

If you're getting by with a DSL router right now, then I would say a Netscreen 10 would do just fine (would actually be a much higher performance firewall). You can pick one up for around $1300.
I vote for Astaro (www.astaro.com) - someone mentioned this was Linux - true enough, but you'd never know it looking at the interface. It seems to have all the functionality of every appliance I've seen, and is infinitely extensible if you know something about Linux. I can give you the name of a company that will sell you an Astaro "appliance" as a drop-in solution, if you so desire.

While security through obscurity may not be a great idea, security through diversity is not such a bad thing (although it is arguably a subset of security through obscurity). For that reason alone, stay away from MS products when choosing your firewall.


My vote is for the Watchguard Fireboxes. They're easy/intuitive to use, fast, reliable, powerful and they have a lot of good features, such as VPN support built in (L2TP from the Firebox, PPTP from a standard Windows machine, and upgradeable to L2TP from a client if you use their VPN client, which isn't expensive).

They also feature NT authentication, which although not perfect is better than a lot of other products. The HTTP Proxy (inc. Web Blocker), FTP Proxy and SMTP Proxy are handy too.
Another vote on ISA.
A company called Microsoft tried it, and chose an alternative vendor instead.

Case closed. Between the two, one of them is an obvious loser.
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to Mishou.
Please leave any comments here within the next seven days.


EE Page Editor
